Within the Microsoft Entra admin center, the Resource audit can be reviewed to identify PIM elevations for users, including key information such as the requestor user, subject user, action, domain, and primary target (role assigned/removed). This can aid investigators by providing an audit trail for PIM elevations and the duration for which an eligible role was attached to a user account.

The following URL can be used to view this activity log, provided the investigator's account has the Privileged Role Administrator role assigned, or a role with higher privileges: https://entra.microsoft.com/#view/Microsoft_Azure_PIMCommon/ResourceMenuBlade/~/Audit/resourceId//resourceType/tenant/provider/aadroles

Sections

ID	Name	Description
PR024	Increase Privileges	A subject uses a mechanism to increase or add privileges assigned to a user account under their control. This enables them to access systems, services, or data that is not possible with their standard permissions.
PR018	Circumventing Security Controls	A subject abuses their access or conducts unapproved changes to circumvent host-based security controls.
IF011	Providing Access to a Unauthorized Third Party	A subject intentionally provides system or data access to a third party that is not authorized to access it.
PR015.004	Bulk Email Collection	A subject creates an email collection file such as a Personal Storage Table (PST) file or an MBOX file to copy an entire mailbox or subset of a mailbox containing sensitive information.

References

https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-use-audit-log